@galvana galvana commented Jul 21, 2025

Closes ENG-1021

Description Of Changes

Adding signature_version=s3v4 to our S3 client to support KMS buckets in S3.

Steps to Confirm

  1. Refer to the test_s3_signature_version_4 test. It creates pre-signed URLs with and without the signature version.

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

@galvana galvana marked this pull request as ready for review July 21, 2025 17:06

@galvana galvana requested a review from thabofletcher July 29, 2025 19:23
Comment on lines +105 to +106
s3_config = Config(signature_version="s3v4")
return session.client("s3", config=s3_config)
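
Review bot: Config(signature_version="s3v4") is applied to every client this function returns, and nothing next to it says why. A one-line comment that KMS-encrypted objects reject pre-signed URLs not signed with Signature Version 4 would keep the setting from being removed later as redundant. Because a SigV4 pre-signed URL cannot be valid for more than seven days, it is also worth confirming that no caller of this client requests a longer expiry.
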
Contributor Author

This is the fix

Comment on lines +832 to +840
# Verify old URL fails
response = requests.get(old_presigned_url, timeout=10)
assert (
response.status_code != 200
), "URL without signature v4 should fail for KMS objects"
assert (
"require AWS Signature Version 4" in response.text
or response.status_code == 400
)
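
Review bot: The second assertion passes on any 400 because of the `or response.status_code == 400` branch, so an unrelated bad request satisfies it just as well as the KMS signature error. Asserting on the message alone, or joining the two conditions with `and`, ties the test to the failure it is meant to reproduce. That assertion also has no failure message, unlike the one above it.
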
Contributor Author

This reproduces the issue from prod before the fix

Comment on lines +865 to +870
# Verify v4 URL works
response = requests.get(fixed_presigned_url, timeout=10)
assert (
response.status_code == 200
), "URL with signature v4 must work for KMS objects"
assert response.content == test_content
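
Review bot: Nothing in these lines checks that fixed_presigned_url was actually signed with Signature Version 4; the 200 and the content match only show that the object was readable. Asserting that the URL's query string carries X-Amz-Algorithm=AWS4-HMAC-SHA256 before the request would catch a regression in the client config directly, with a check that does not depend on the network call.
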
Contributor Author

New URL works 👍

codecov bot commented Jul 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.97%. Comparing base (6238608) to head (e7cb95e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6365   +/-   ##
=======================================
  Coverage   86.97%   86.97%           
=======================================
  Files         454      454           
  Lines       28961    28963    +2     
  Branches     3228     3228           
=======================================
+ Hits        25190    25192    +2     
  Misses       3052     3052           
  Partials      719      719           


@thabofletcher thabofletcher left a comment

🚀 🚀 🚀

@galvana galvana merged commit 6fa9cf9 into main Jul 30, 2025
41 checks passed
@galvana galvana deleted the ENG-1021-adding-signature-v4-for-kms-buckets branch July 30, 2025 05:31

cypress bot commented Jul 30, 2025

fides    Run #13180

Run Properties:
Project: fides
Branch Review: main
Run status: Passed #13180
Run duration: 00m 53s
Commit: 6fa9cf94e6: Adding signature v4 to S3 client (#6365)
Committer: Adrian Galvan

Test results
Failures: 0
Flaky: 0
Pending: 0
Skipped: 0
Passing: 5